Microsoft Patches Two Critical, Actively Exploited Vulnerabilities

Microsoft released a slew of updates this Patch Tuesday, including patches for two critical vulnerabilities that are being actively exploited in the wild. In total, 95 vulnerabilities were addressed yesterday, eighteen of which have been rated critical and 76 as important.

The two actively exploited vulnerabilities are of most concern, in fact one is so serious that Microsoft took the decision to issue a patch for Windows XP, even though extended support for the outdated operating system ended in April 2014. As with the emergency patch issued last month shortly after the WannaCry ransomware attacks, the vulnerability was considered so severe it warranted a patch.

Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, explained the decision to issue a patch for Windows XP saying, “Due to the elevated risk for destructive cyberattacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”

The flaw – CVE-2017-8543 – exists in the Windows Server Message Block (SMB) service. It was also a SMB service vulnerability that was exploited in the recent WannaCry ransomware attacks that spread to more than 300,000 devices in 150 countries on May 12.

CVE-2017-8543 could similarly be exploited by cybercriminals to install malware with wormlike capabilities, allowing infections to spread rapidly across a network. The flaw exists in most Windows versions, including Windows XP, Windows 7, Windows 8.1 and Windows 10, as well as Microsoft Server 2003, 2008, 2012 and 2016. Microsoft has also issued a patch for Microsoft Server 2003.

As with the WannaCry attacks, the vulnerability could be exploited without any user interaction required. A remote unauthenticated user could trigger the vulnerability via a SMB connection. If exploited, the attacker could take control of the infected device. Since this vulnerability is being actively exploited in the wild, it is essential that the patch is applied promptly.

The other critical – and actively exploited – flaw is CVE-2017-8464: A LNK remote code execution vulnerability. This vulnerability can be exploited using a specially crafted shortcut file.

While not believed to be exploited at present, a memory corruption vulnerability in Outlook (CVE-2017-8507) is of particular concern. An attacker could exploit the vulnerability simply by sending a specially crafted message to an Outlook user. The vulnerability would be triggered when the user views the message, giving the attacker full control of their computer. No attachment would need to be opened in order for the vulnerability to be exploited.

CVE-2017-8527 could also potentially be exploited with little user interaction required. A user would only be required to visit a website with specially crafted fonts.

Patches have also been issued for remote code execution vulnerabilities in Microsoft Edge and Internet Explorer. These flaws are not being actively exploited at present, although the flaws have been publicly disclosed so it is only a matter of time before attacks occur.

In addition to the patches released by Microsoft, Adobe has similarly issued a round of updates. In total, 21 vulnerabilities have been addressed, 15 of which have been rated critical. Four products have been updated – Flash, Shockwave, Captivate and Adobe Digital Editions.

While Microsoft has now issued patches for unsupported operating systems on two occasions in the past 30 days, this should not be taken as a sign that flaws will continue to be addressed. Any organization still using unsupported operating systems should ensure those systems are upgraded to supported Windows versions as soon as possible. Further flaws are likely to be discovered, but Microsoft is unlikely to continue to release patches.

Eric Doerr, general manager of the Microsoft Security Response Center said, “Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies.”

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.